A firewall system employs signature validation hardware that communicates via low level communication protocols with inner and outer host computers, which have network protocol stacks for implementing complex communication protocols with remote source and destination computers. The source computer has data checker and signature functionalities, which respectively check data and generate digital signatures for the data to be transmitted. The inner host computer receives transmitted data and converts it to the lower protocol level at which the hardware operates. The hardware uses digital circuitry for protocol handling and checking. It validates signatures in data at the software application level, but only requires protocols that are simple and low level. The firewall system communicates with the source and destination computers via high performance connection media. The hardware itself also communicates with the host computers via high performance connection media, and avoids involvement with the complex communications protocols that make other firewalls vulnerable.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A firewall system comprising: signature validation hardware for receiving data for validation and for indicating whether or not the data incorporates a valid signature; and the signature validation hardware provides a means for operating at software application level to ascertain data signature validity; an inner host computer for receiving data for validation by the signature validation hardware; and an outer host computer for transmitting validated data; the inner and outer host computers each implementing: a) complex communication protocols for communications to remote computer networks, and b) lower level communications protocols for communications to the signature validation hardware and the system being arranged such that all data for validation received by the inner host computer by means of the complex communication protocols is forwarded, via the validation hardware by means of communication links employing the lower level communication protocols, to the outer host for onward transmission by means of the complex communication protocols.
2. A firewall system according to claim 1 wherein the signature validation hardware has digital circuitry to implement protocol handling and to ascertain signature validity.
3. A firewall system according to claim 1 wherein the signature validation hardware incorporates means for applying a hash function to data to create a hash number and means for encrypting the hash number to generate a signature unique to such data for comparison with and in order to ascertain validity of the signature incorporated in the data.
4. A firewall system according to claim 3 wherein the means for applying a hash function to data incorporates a store in which data are stored sequentially for access in applying the hash function.
5. A firewall system according to claim 4 wherein the store is for outputting data in response to validation of the signature incorporated in the data.
6. A firewall system according to claim 3 wherein the means for applying a hash function to data accumulates a hash number by processing data sequentially in sections.
7. A firewall system according to claim 1 wherein at least one of the remote computer networks is responsible for applying complex checks to such data and applying a digital signature thereto.
8. A firewall system according to claim 1 for communicating via connection media.
9. A firewall system according to claim 1 wherein the signature validation hardware incorporates field programmable gate array circuitry.
10. A firewall system according to claim 1 wherein the signature validation hardware incorporates logic units controlled by firmware.
11. A firewall system according to claim 1 wherein the firmware is Harvard Architecture microcontroller firmware.
12. A firewall system according to claim 1 for data transfer in series with a second like firewall system providing protection against system failure.
13. A firewall system according to claim 1 for data transfer in parallel with and in the opposite direction to a second like firewall system providing for two-way communication.
14. A method of providing firewall protection comprising the steps of:— a) receiving, at an inner host computer, data for validation from a source computer system using complex communication protocols; b) converting the data to a form based on relatively lower level communication protocols; c) communicating the converted data, via a first communication link employing said lower level communication protocols, to signature validation hardware for indicating whether or not such data incorporates a valid signature, the signature validation hardware operating at software application level to ascertain data signature validity; and d) communicating data associated with a valid signature via a second communication link employing said lower level communication protocols, to an outer host computer system for onward transmission using complex communication protocols.
15. A method according to claim 14 wherein the signature validation hardware has digital circuitry to implement protocol handling and to ascertain signature validity.
16. A method according to claim 14 including the steps of:— a) using the signature validation hardware to apply a hash function to data to create a hash number; and b) encrypting the hash number to generate a signature unique to such data for comparison with and in order to ascertain validity of the signature incorporated in the data.
17. A method according to claim 16 wherein the step of applying a hash function incorporates storing data in a store sequentially for access in applying the hash function.
18. A method according to claim 16 wherein the step of using the signature validation hardware to apply a hash function to data includes accumulating a hash number by processing data sequentially in sections.
19. A computer software product comprising a computer readable non-transitory medium containing computer readable instructions for controlling operation of computer apparatus to provide firewall protection, wherein the computer readable instructions provide a means for controlling the computer apparatus to: a) receive data for validation, at an inner host computer, from a source computer system using complex communication protocols; b) convert the data to a form based on relatively lower level communication protocols; c) communicate the converted data, via a first communication link employing said lower level communication protocols, to signature validation hardware for indicating whether or not such data incorporates a valid signature, the signature validation hardware operating at software application level to ascertain data signature validity; and d) communicate data associated with a valid signature, via a second communication link employing said lower level communication protocols, to an outer host computer system for onward transmission using complex communication protocols.
20. A computer software product according to claim 19 wherein the computer readable instructions also provide a means for controlling the computer apparatus to communicate with the signature validation hardware and the source and destination computer systems media links.
21. A computer software product according to claim 19 wherein the signature validation hardware has digital circuitry to implement protocol handling and to ascertain signature validity.
22. A computer software product according to claim 19 wherein the computer readable instructions also provide a means for controlling the computer apparatus to:— a) use the signature validation hardware to apply a hash function to data to create a hash number; and b) encrypt the hash number to generate a signature unique to such data for comparison with and in order to ascertain validity of the signature incorporated in the data.
23. A computer software product according to claim 22 wherein the computer readable instructions also provide a means for controlling the computer apparatus to use the signature validation hardware to apply a hash function by a procedure which incorporates storing data in a store sequentially for access in applying the hash function.
24. A computer software product according to claim 22 wherein the computer readable instructions also provide a means for controlling the computer apparatus to apply a hash function to data by a procedure which includes accumulating a hash number by processing data sequentially in sections.
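The pipeline of claims 14 and 16 to 18 (inner host reframes the data at a low protocol level, the validation hardware stores the payload sequentially, accumulates the hash in sections, compares the signature and releases the stored data only on success), as an added software model that is not part of the patent or any product; HMAC-SHA256 with a constructed key stands in for the patent's "hash then encrypt" signature step, and the 4-byte length | payload | signature frame is an assumed low-level format.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo key (assumption: HMAC-SHA256 stands in for the patent's
# "apply a hash function, then encrypt the hash" signature; a real deployment
# would use an asymmetric signature so the validator holds no secret).
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"
SECTION_SIZE = 16   # the hardware accumulates the hash over fixed-size sections
SIG_LEN = 32        # SHA-256 digest length

def source_sign(data: bytes) -> bytes:
    """Source computer: the data checker has passed; attach a signature."""
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()

def inner_host_frame(data: bytes, sig: bytes) -> bytes:
    """Inner host: drop the complex protocol and emit an assumed low-level
    frame: 4-byte big-endian length | payload | signature."""
    return struct.pack(">I", len(data)) + data + sig

def validation_hardware(frame: bytes) -> Optional[bytes]:
    """Model of the signature validation hardware: parse the simple frame,
    store the payload sequentially, accumulate the hash section by section,
    and output the stored data only if the signature verifies."""
    if len(frame) < 4 + SIG_LEN:
        return None                       # malformed: too short for header + signature
    (length,) = struct.unpack(">I", frame[:4])
    if len(frame) != 4 + length + SIG_LEN:
        return None                       # length field disagrees with the frame size
    payload, sig = frame[4:4 + length], frame[4 + length:]
    store = bytearray()
    mac = hmac.new(SIGNING_KEY, digestmod=hashlib.sha256)
    for offset in range(0, length, SECTION_SIZE):
        section = payload[offset:offset + SECTION_SIZE]
        store += section                  # sequential store (claims 4 and 5)
        mac.update(section)               # hash accumulated in sections (claim 6)
    if not hmac.compare_digest(mac.digest(), sig):
        return None                       # invalid signature: nothing leaves the store
    return bytes(store)                   # valid: released to the outer host

if __name__ == "__main__":
    data = b"constructed payload for the firewall demo"
    frame = inner_host_frame(data, source_sign(data))
    print("valid frame passes:", validation_hardware(frame) == data)
    tampered = bytearray(frame); tampered[5] ^= 0x01
    print("tampered frame blocked:", validation_hardware(bytes(tampered)) is None)
```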
May 12, 2005
January 31, 2012